If you work in computer security, your Twitter feed and/or Inbox has just exploded with stories about not just one but two new holes in cryptographic protcols. One affects WiFi; the other affects RSA key pair generation by certain chips. How serious are these? I’m not going to go through the technical details. For KRACK, Matthew Green did an excellent blog post; for the other, full details are not yet available. There are also good articles oneach of them. What’s more interesting are the implications.

As I’ve said before about crypto, don’t panic. Encryption flaws are sexy and get academics very excited, but they’re rarely particularly serious for most people. That’s very true here. In fact, at a guess, the most widespread problem, with WiFi, will have fewer serious consequences than the RSA problem.

The reason that crypto issues are not in general very serious is that someone who wishes to exploit them needs both the flaw and access — and access is rarely easy. For this new WiFi attack, remember that the range of WiFi is about 100 meters; this is not something that the attackers can do over the Internet. (Yes, with a good, directional antenna you can manage about a kilometer. That’s still not much, and since the attack depends on sending a packet to the target machine you need very precise aim on someone’s phone or computer.)

There’s a really important public policy angle to this, though. We’re hearing lots of calls for “exceptional access”, a mechanism for lawful government access to encrypted content. I and my colleagues have long warned that this is dangerous because cryptographic protocols are very subtle. In retrospect, this new flaw is blindingly obvious — very bad things happen if you replay message 3 of a 4 message sequence — but it took 13 years for it to be noticed, in a protocol that is used by literally billions of devices. (Btw — by “blindingly obvious” I’m not insulting the discoverer, Mathy Vanhoef. He did wonderful work finding it when no one else had, by asking himself, “I wonder what happens if….”.) Oh yes — the protocol was mathematically proven correct — but the proof didn’t cover what the attack actually does.

Cryptographic protocols are hard.

So who is affected by this, and what should you do? The problem is on the client side; WiFI access points are not affected. You need to install software updates on every one of your WiFi devices. Apparently, iOS and Windows are not as seriously affected, because they didn’t completely follow the (flawed!) spec. Android phones are vulnerable and are less likely to be updatable. Internet of Things devices are the most at risk, given their poor history of being updated.

Again, though, most consumers are not at risk. Businesses are, and ones with many devices, e.g., credit card readers, connected by WiFi have a lot of scrambling to do.

The other flaw appears to be more academically interesting and — for some of those affected — far more serious. Briefly, in the RSA encryption algorithm, one has to generate a “public key”; this key is (in part) the product of two large, random primes. We normally write this as

n = pq

Normally, n is public; however, p and q must be kept secret.

The problem seems to be in the way p and q were generated. Normally, you generate large, random numbers and test them for primality. It appears that the code library used with a particular chip had something wrong with the process for generating primes, resulting in an n that is easy to factor into its constituent p and q. Interestingly, it’s possible to detect these weak values of n very cheaply and easily, without trying to factor them.

So — who is affected by this bug? First, remember the access issue. An attacker needs access to your encrypted traffic or encrypted device. That’s not easy. Furthermore, if you used 2048-bit keys — and that’s been standard for a fair number of years — the attack isn’t cheap. On a 1000-core Amazon cloud, it would take 17 days and cost more than US$40,000. Translation: it isn’t an attack that can be done casually or against bulk traffic. It’s a targeted attack that can be launched only by a well-resourced adversary, and only against a high-value target.

But there is one serious cause for concern. If you have email encrypted with one of these flawed keys, or if you have an electronic document signed with one, someone can attack it in the future — and that $40K cost and 17-day time will only drop.

* * *

Update Oct 16, 2017: According to later information, both the access point and the clients must be patched. This is more serious, since many access points are abandonware.

Update Oct 17, 2017: A nasty thought happened to occur to me, one that’s worth sharing. (Thinking nasty thoughts is either an occupational hazard or an occupational fringe benefit for security people—your call…hellip;)

I, along with many others, noted that the KRACK flaw in WiFi encryption is a local matter only; the attacker has to be within about 100 meters from the target. That’s not quite correct. The attacking computer has to be close; the attacker can be anywhere.

I’m here at home in a Manhattan apartment, typing on a computer connected by wired Ethernet. The computer is, of course, WiFi-capable; if I turn on WiFi, it sees 28 other WiFi networks, all but two of which use WPA2. (The other two are wide open guest networks…) Suppose someone hacked into my computer. They could activate my computer’s WiFi interface and use KRACK to go after my neighbors’ nets. Better yet, suppose I’m on a low-security wired net at work but am within range of a high-security wireless network.

I’m not certain how serious this is in practice; it depends on the proximity of vulnerable wired computers to interesting WiFi networks. Wired networks are no longer very common in people’s houses and apartments, but of course they’re the norm in enterprises. If you’re a sysadmin for a corporation with that sort of setup, KRACK may be very serious indeed.

Written by Steven Bellovin, Professor of Computer Science at Columbia University